1dent1ty cHa0s

In my last expose on Jerry Camel's SQL processing script for building Delta snapshots I mentioned you'd probably really want something like this for Attribute Level Change Notification (ALCN).   You see when MIIS processes a typical delta row it still has to analyze each column of data to find the field that changed so while you cut out thousands of records to sift through, you still have to sift through each column.  With ALCN you are actually telling MIIS "this is the row and this is the field that changed" and the processing engine will ignore data in the other columns whether it changed or not (go ahead and try, it's geeky-cool).

If there is a pecking order to speeding up DBMS based imports I would probably recommend this in order of difficulty:

1. Copy any remote data sources locally first (for data sources that are Read Only) or use Linked Servers and a View (for data sources that are Read/Write) to access the remote table as the original.  Importing data from a local source speeds up Imports significantly (30%-60% in ILM 2007, as much as 80% in MIIS pre SP2).
2. Create a Delta Snapshot of the table.  Importing only the changed rows will allow you to go from multi-hour imports to multi-minute imports depending on the frequency of data change in your source.  You'll also be able to run imports more often.
3. Modify your delta snapshot process to expose only the changed fields using Attribute Level Change Notification.  Removing the need to process the unchanged data can improve Delta processing by a further 30%-60%.
4. Build an XMA to combine all of the above.  The XMA has the added benefit of distilling your data source into a simple file import which is always faster on the Import stage.

If you are really a SQL nerd there are further tricks that are beyond me depending on the data and the size of the data sets involved that involve when you should truncate tables, drop/create indexes, or modify the data in flight (like converting empty strings to nulls, etc).

So, enjoy Jerry's latest masterpiece with full Christmas spirit (this is a big deal for Mr. Camel, so don't overlook this one!) - there's no lump of coal in your stocking this year my fellow MIIS fans!

Digital Camel: Uncovering the MIIStery of Attribute Level Deltas (In Holiday Verse)

For those of you that are more SQL inclined and hate the GUI - Jerry Camel has documented how to build delta table structures using templates within SQL Server Management Studio.

Trust me, building your own delta views for DBMS based Management Agents are essential; just wait until you try your hand at Attribute Level Change Notification, you'll be wishing you had something like this!

Digital Camel: The Same, But Different

So, if you haven't already caught on to the fact that you should be watching Jerry Camel's blog this post should cinch it for you. Jerry's witty style and imaginative use of prose keeps a very techy subject fun and informative; something I strive for but never quite seem to accomplish.

In Jerry's latest post he discusses how he was able to fix some issues that cropped up late in production on a Workflow MA we did earlier in the year for a much more interesting Delayed Events processing system in ILM 2007. I won't spoil the fun, get comfy, grab a snack and settle in for the latest tour-de-force entitled:

Digital Camel: Cider, Workflows and Just Enough Knowledge...

Now I need to get Sean Murphy (even if he is from Arkansas) blogging as well - you'll love Sean's raw insight on practically anything, really, check out his views on Social Networking if you don't believe me.

One of the questions I've been getting lately is when should you be using Windows CardSpace vs AD Federation Services. There is pretty good evidence that the adoption of a claims based programming methodology is fast underway and we get that, but which model should I be moving towards?

Windows CardSpace

[claims based, high anonymity, low entitlements and a fancy icon]

Windows CardSpace is the technology or framework behind how InfoCards (managed or self-issued) interact with the Windows platform.

Self-issued InfoCards have a high degree of anonymity built in and I expect most InfoCard secured sites accepting self-issued InfoCards to have little if any in the manner of derived roles or entitlements. For instance, you might have a Moderator role for a forum but that entitlement is managed and awarded through the site and not based on some aspect of your identity.

Managed InfoCards are InfoCards that have been signed by a trusted third party. This neutral provider has independently verified certain information and now sites that trust this provider are assured that the certified information is valid. In solutions based on Managed InfoCards I can begin to see more derived roles and entitlements begin to take shape where you may be assigned the Submit role for an application once employment has been verified. Basing role entitlement on an active employment status with a company becomes trickier in this scenario since the company doesn't have a dynamic method of invalidating a Managed InfoCard provided by a third party. This is where the AD Managed Card provider will come in very handy in the Windows Server 2008 timeframe.

For more information on Windows CardSpace and InfoCard:

• Introduction to Windows CardSpace
• Windows CardSpace Forums (MSDN)
• Kim Cameron's IdentityBlog
• Pamela Project
• HTML and ASP.NET 2.0 Kit for Windows CardSpace

Beginning Information Cards and CardSpace: From Novice to Professional (Expert's Voice in .Net) by Marc Mercuri

Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities (Independent Technology Guides) by Vittorio Bertocci, Garrett Serack, Caleb Baker

AD Federation Services

[claims based, high entitlements, low anonymity and NO fancy icon]

ADFS is the technology behind true business to business solutions where clients expect to leverage their logged in credentials (the ones you used to sign-in with at work) to access not just corporate intranet based applications but extranet applications hosted by trusted vendors and partners. The goal here being that you are leveraging the same logon to your corporate workstation to authenticate to applications hosted by trusted business vendors or partners.

ADFS solutions should tend towards highly entitled users with little to no anonymity on the resource side. This is because the typical solution will be driven by business requirements surrounding the need to automate access to partner applications simply by being a member of a specific set of security groups. Resource providers will likely insist on auditing access to their applications so that throws any hope of anonymously consuming the service out the window.

I tend to visualize the two technologies at opposite ends of a spectrum with managed InfoCards smack in the middle.

Depending on how you scale the spectrum, solutions based on Windows CardSpace could quickly begin to outnumber solutions based on federation and it will certainly appear so to the general public as InfoCard adoption will be much more publicized and evident - especially with the fancy icon!

My prediction at this stage is that managed infocards issued by enterprises and consumed by their partner applications will ultimately win out due to the lower complexity and lack of a dependency on infrastructure.

For more information on ADFS:

• Introduction to Active Directory Federation Services
• ADFS Concepts
• ADFS How To

If the Delta View topics in the MIIS Getting Started series left you a bit puzzled or if SQL just isn't your thing and you need a little help building delta views for your database MA's then look no further!  Jerry Camel has created a GUI driven tool to automate basic delta view creation aptly called the "MIIS Delta View Creation Wizard" or the MDVC for short.

Give it a test drive today and be sure to leave Jerry with some feedback!

Digital Camel: Delta Dawn...